In order to allow me to update in a more convenient manner, the latest updates will be added to the G-SEC blog only. Once the final revision of this blog post will be achieved I will update this blog with the latest one.

After some in-house tests, we can confirm that the vulnerability presented at http://www.extendedsubset.com/ indeed real and should pose a significant threat to most. The vulnerability has been discovered by "Marsh Ray".

We are currently looking into possible mitigations and will update this blog post regularly with more information regarding said vulnerability - if available.

In general an attacker positioned in the middle of a connection may inject arbritary content into the beginning of an authenticated strea, it will be interesting to see what potential impact this vulnerability has within each of the applications / protocols supporting it. IMAPS, FTPSSL, POP3 etc

For web servers - Attackers (if in the middle) can inject data into a segment that is authenticated to the web server, the web server will merge those requests and process them. (GET requests are trivially exploitable, POST are not known to be)

Mitigations :

Monitor renegotiation requests

To mitigate possible attacks against web applications - use an IPS/IDS/Application firewall to catch recurrent HTTP request that are enclosed within each other